
Contributor

@soopel soopel commented Nov 14, 2025

  • Guarded udp_rx_dequeue against truncated mbufs by comparing rte_pktmbuf_pkt_len(pkt) with sizeof(struct mt_udp_hdr) and bailing with EBADMSG if the headers aren’t fully present.
  • Recomputed the payload pointer via rte_pktmbuf_mtod_offset and validated the UDP payload length against both the UDP header value and the actual bytes available in the mbuf before any rte_memcpy, preventing the out-of-bounds read.
  • Logged richer diagnostics (using signed widths) and set errno when malformed packets are detected so callers receive a clear failure instead of silent drops.


Copilot AI left a comment

Pull Request Overview

This PR fixes a critical security vulnerability in the UDP receive path by adding comprehensive validation to prevent out-of-bounds buffer reads. The changes guard against malformed or truncated packets that could cause memory safety issues.

Key changes:

  • Added packet length validation before header access to ensure headers are fully present
  • Implemented payload bounds checking against both UDP header length and actual mbuf capacity
  • Enhanced error reporting with detailed diagnostics and proper errno setting

…eader/payload bounds checks, switching to a safe payload pointer, and rebuilding to ensure everything still compiles—here’s the rundown.

Actions taken
Guarded udp_rx_dequeue against truncated mbufs by comparing rte_pktmbuf_pkt_len(pkt) with sizeof(struct mt_udp_hdr) and bailing with EBADMSG if the headers aren’t fully present.
Recomputed the payload pointer via rte_pktmbuf_mtod_offset and validated the UDP payload length against both the UDP header value and the actual bytes available in the mbuf before any rte_memcpy, preventing the out-of-bounds read.
Logged richer diagnostics (using signed widths) and set errno when malformed packets are detected so callers receive a clear failure instead of silent drops.
@soopel soopel force-pushed the mswirydc_coverity_551169 branch from 78959ec to 0222502 on November 14, 2025 13:27
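
The order of checks described in this pull request, as an added stand-alone example (not the project's code and not using DPDK): a plain byte buffer and `pkt_len` stand in for the mbuf. The 42-byte Ethernet + IPv4 + UDP header layout, the names `udp_payload_copy` and `check_frame`, and the `EMSGSIZE` result for an undersized caller buffer are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: 14-byte Ethernet + 20-byte IPv4 (no options) + 8-byte UDP. */
enum { UDP_HDR_LEN = 8, HDR_LEN = 14 + 20 + UDP_HDR_LEN, UDP_LEN_OFF = 14 + 20 + 4 };

/* Copy the UDP payload of a received frame into out.
 * Returns the payload length, or -1 with errno set for a rejected frame. */
long udp_payload_copy(const uint8_t *frame, size_t pkt_len, uint8_t *out, size_t out_cap)
{
    /* 1. Headers must be fully present before any header field is read. */
    if (pkt_len < HDR_LEN) { errno = EBADMSG; return -1; }
    /* 2. The UDP length field (big-endian) covers header plus payload. */
    size_t udp_len = ((size_t)frame[UDP_LEN_OFF] << 8) | frame[UDP_LEN_OFF + 1];
    if (udp_len < UDP_HDR_LEN) { errno = EBADMSG; return -1; }
    size_t payload_len = udp_len - UDP_HDR_LEN;
    /* 3. The claimed payload must fit in the bytes actually received. */
    if (payload_len > pkt_len - HDR_LEN) { errno = EBADMSG; return -1; }
    /* 4. It must also fit in the caller's buffer (assumed policy: EMSGSIZE). */
    if (payload_len > out_cap) { errno = EMSGSIZE; return -1; }
    memcpy(out, frame + HDR_LEN, payload_len);
    return (long)payload_len;
}

/* Constructed sample frame: pkt_len zero bytes with a chosen UDP length field.
 * Returns the number of bytes copied, or -errno when the frame is rejected. */
int check_frame(size_t pkt_len, uint16_t claimed_udp_len)
{
    uint8_t frame[128] = {0}, out[64];
    if (pkt_len > sizeof(frame)) return -EINVAL;
    if (pkt_len >= UDP_LEN_OFF + 2) {
        frame[UDP_LEN_OFF] = (uint8_t)(claimed_udp_len >> 8);
        frame[UDP_LEN_OFF + 1] = (uint8_t)(claimed_udp_len & 0xff);
    }
    long n = udp_payload_copy(frame, pkt_len, out, sizeof(out));
    return n < 0 ? -errno : (int)n;
}

int main(void)
{
    printf("well-formed frame:       %d\n", check_frame(50, 16));
    printf("truncated headers:       %d\n", check_frame(20, 16));
    printf("length field too large:  %d\n", check_frame(50, 100));
    printf("length field below 8:    %d\n", check_frame(50, 4));
    return 0;
}
```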